Getting Redirected Through Google Search Results

Hello, it began 3 or 4 days ago and nothing seems to help. Every time I click on a Google result I get redirected through various sites (sometimes, and only for a second, I see the URL www.mamma.com, but also maxfiles.com and others) to sites such as: www.btcar.com, www.heavy.com, www.adultfinder.com, www.ebay.de, www.mycare.de and so on. I have gone through online-checking, CleanUp, SpyBotS&D, Norton AV (my AV), Adaware. Once I got redirected to a site in the Ukraine (not so sure, but I gave an IP from the HiJackThis log in Google and read that it relates to a provider in the Ukraine), I saw my IP on the screen and the name of the city I live in. Does this make sense?

Are you infected? If you need help, go here! Do you want to learn how you got infected, and how to prevent it? Try looking here! For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

When done post the Fixwareout log and a fresh HijackThis log.

logreeval

Hello, Logreeval, and thank you for your prompt response! I read in a German forum that such a problem (in the HijackThis log you'll see an entry with this strange IP: NameServer = 85.255.116.35 85.255.112.65) can only be solved by formatting the HDD and installing everything new. Would you give that a thought or do you think it can be solved through Fixwareout & Co.? Would formatting be an overreaction?

So, first the Fixwareout Report:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdjjr.exe"

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

First download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program.

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.

Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.

On the main screen select the icon "Update" then select the "Update now" link.

Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

Under "Reports"

Select "Automatically generate report after every scan"

Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".

AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.

Once the scan is complete do the following:

If you have any infections you will be prompted, then select "Apply all actions"

Next select the "Reports" icon at the top.

Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

When done post the AVG AntiSpyware log and a fresh HijackThis log. Also, are you still getting redirected?

logreeval

Hello, Logreeval! So, I downloaded AVG and ran it in safe mode. "Nothing found" was the result. Is it bad that "resident shield" was inactive in safe mode? I hope not. I also deleted the two entries in HijackThis. Well, the good news is, I clicked twice on a couple of Google results and didn't get redirected. The bad news is that this strange Ukraine (not sure) server entry is still there (O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65). Thank you for your patience and help.

An addition: I just noticed that these two numbers (85.255.116.35 85.255.112.65) are given under Internet Protocol / Properties as DNS addresses. Is this the problem or only the result of the problem? Thank you.
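
The O17 entry quoted in the post above can be checked mechanically. The following is an added example, not part of the original thread or of any tool mentioned in it: it parses HijackThis O17 `NameServer` lines and reports every resolver outside the ranges you expect (your ISP's or your router's). The `192.0.2.0/24` range, the second GUID and the `Domain` line are constructed placeholders; only the first `NameServer` line comes from the thread.

```python
import ipaddress
import re

# O17 lines have the shape: "O17 - <registry key>: <value name> = <value data>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")

def parse_o17_nameservers(log_text):
    """Return [(registry_key, [token, ...])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m and m.group("name").lower() == "nameserver":
            # Windows stores the list space- or comma-separated.
            tokens = [t for t in re.split(r"[,\s]+", m.group("data")) if t]
            entries.append((m.group("key"), tokens))
    return entries

def unexpected_resolvers(log_text, expected):
    """List (registry_key, value) pairs whose resolver is outside `expected`."""
    nets = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for key, tokens in parse_o17_nameservers(log_text):
        for tok in tokens:
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                findings.append((key, tok))  # not an IP address: report it too
                continue
            if not any(addr in net for net in nets):
                findings.append((key, tok))
    return findings

# Constructed sample log; the first NameServer line is the one quoted in the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCCF84C0-346C-4D08-8FA1-370526E686D0}: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
"""
EXPECTED = ["192.0.2.0/24"]  # placeholder for the resolvers you actually expect

if __name__ == "__main__":
    for key, value in unexpected_resolvers(SAMPLE_LOG, EXPECTED):
        print(f"unexpected DNS server {value} in {key}")
```

A static `NameServer` value on a machine that normally gets its resolvers over DHCP is worth investigating even when the address itself looks harmless.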

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

=====

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

=====

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

When done post a fresh HijackThis log and the Blacklight log.

logreeval

And here is the HijackThis log. The Ukraine servers are not there anymore, and in a previous scan I saw the two ones from my own provider (Arcor.de), but now I couldn't find them; Spybot Resident didn't accept the change of "Main Page, blank" into "Google", should I uninstall Spybot?:

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on NEXT

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under "Select a target to scan": select My Computer

The program will start and scan your system.

The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

==========

When done post a fresh HijackThis log.

How are things running?

logreeval

Hello, dear Logreeval! I ran the Kaspersky Scanner; a Trojaner (sorry, this is the German word for this sort of malware) called Win32.DNSChanger.in and a couple of infected objects are the result. I couldn't find the "infected objects" in the report, but I underlined the "Trojaner". I'm not much of a help. Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 27, 2007 3:11:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/03/2007
Kaspersky Anti-Virus database records: 286811
-------------------------------------------------------------------------------

The good news is, I don't get redirected. Only once, yesterday, I did get redirected to a site with my IP and the name of the city I live in, Munich, and an ad about some antispyware programs (a trojan that wants to sell me antispyware programs?!). I didn't really understand what had gone wrong, 'cause this time I had got redirected through another page and not Google, and I closed the Explorer page without copying the URL of the site. Sorry about that, I don't have the URL so I can't post it. Since then I didn't get redirected anymore. Awaiting new instructions, when you find the time, thanks again!

I am sorry, but I am busy today, but I will try to post back by tonight

Thanks for your patience.

logreeval

The file that was found is located in your System Restore point. Those are the files that control your System Restore; they are locked away and dormant. The only time this would be a problem is if you used System Restore. We will clear out that file at the end.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open in Notepad - main.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, extra.txt.
6. Please paste the contents of that file into your next post as well.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

{C9763878-801D-4106-957D-F1AFCF0CAE54}

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply along with the DSS log.

logreeval

Edited by logreeval, 27 March 2007 - 06:25 PM.

P.S.: Somewhere in the reports I saw the name of a file (kddjr.exe), which - as I searched in Google - is a form of this Trojan Win32.DNSchanger.in. But I couldn't understand whether it has been removed or not. I think that it has been removed by Fixwareout; Spybot refused to accept some changes in Winlogon (I have memorized the procedure, but I haven't got a clue what all this jargon means!) made by Fixwareout. Should I ru